Corporate Electronic Document & Records Management Strategy December 2007 Version 1.0 1 Document control Version control / history Name C Ives Description Version 1 Date 05 12 07 Approvals Name Position Date approved 2 TABLE OF CONTENTS Document control ............................................................................................................ 2 Executive summary ......................................................................................................... 4 Background: electronic records ....................................................................................... 6 Supporting the council’s business needs (drivers) .......................................................... 7 Findings: the current situation in the council ................................................................... 9 The Strategy .................................................................................................................. 11 Purpose ..................................................................................................................... 11 Scope ........................................................................................................................ 11 Aim/Vision .................................................................................................................. 13 Delivery ...................................................................................................................... 16 Policy ..................................................................................................................... 16 Information Architecture ......................................................................................... 18 Standards ............................................................................................................... 20 Technology ............................................................................................................ 21 Implementation....................................................................................................... 23 Priorities ................................................................................................................. 25 Alignment with other strategies/initiatives .................................................................. 25 Alignment with other council policies ......................................................................... 25 Considerations in delivering the Strategy .................................................................. 26 Next Steps ................................................................................................................. 26 Appendix 1: Planning the work programme ................................................................... 27 Appendix 2: Level 1 & 2 of the Local Government Classification Scheme .................... 30 Appendix 3: ESD Lists................................................................................................... 32 Appendix 4: External factors affecting SCC’s records management ............................. 34 3 Executive summary In early 2007, as part of the wider reaching Corporate Records Management Strategy, the Corporate Records Officer, (CRO) initiated a project to investigate more thoroughly the council’s ability to manage its electronic documents and records effectively. This was in response to a number of factors, but primarily was due to the increasing volume of electronic records being created along with the growing demand to manage these more efficiently and effectively to better support the council’s changing business needs, (agile/partnership working, information sharing). Over the last 4 months the CRO, in consultation with the Electronic Document and Records Management (EDRM) Strategy Steering Group, 1have considered the results of this analysis and investigated a number of options with a view to developing a Corporate EDRM Strategy that will ensure support for the creation and management of sustainable records that will meet the council’s requirements in both the short and long-term. The Strategy sets out the council’s key goals: To ensure that the council’s documents and records are ‘useable,’ (as defined in detail in the Strategy) to the council’s stakeholders, (staff, councillors, citizens and partnership organisations) That where legitimate access is required that they sufficiently support improved service delivery To ensure that the overheads of managing documents and records as corporate assets are reduced to a minimum The Strategy is based on the recommendations evolved from the aforementioned investigations to: 1. Establish SharePoint as the corporate collaboration platform that will facilitate the process of document creation/collaboration (drafts) AND 2. Initiate a project to procure a SharePoint compatible, corporate EDRM solution with records management and bulk scanning functionality to act as a centrally managed repository The Strategy: Identifies a number of key components, (Technology, Information Architecture, Policy, Standards and Implementation Methodology) and additional recommendations that will be needed to deliver the above, if the true benefits of a corporate approach to EDRM are to be realised and exploited. 1 Representatives of corporate record systems, ICT and chaired by the Director of Change. 4 Proposes that these might be delivered via an over-arching EDRM programme delivered over the next 3-5 years that is made up a distinct number of short and long-term projects, (with various dependencies to be taken into consideration). SharePoint EDRM Programme Information architecture/ standards/ policies Core information architecture, standards and policies (file-plan, retention policy, metadata standard) EDRMS SharePoint development and roll-out Development of EDRMS business case, (including statement of requirements) Bespoke (local) information architecture, standards and policies (file-plan, retention policy, metadata standard) Configuration and implementation of EDRMS Highlights the need for the Strategy and any resulting programme to be acknowledged as more than the implementation of a technical solution, but rather as a corporate wide change management programme that will look at how the council can improve the way that it works. 5 Background: electronic records The council creates and keeps records for a reason; to support operational requirements so that it can function effectively and ensure compliance with its legal, regulatory and statutory obligations. However the way in which this is being done is changing as the council responds to: The Transformational Government Agenda Technological developments/advancements Rapidly changing need to: o Improve service delivery o Make efficiency gains o Work collaboratively with multi-agency partners o Demonstrate transparency and accountability o Encourage greater democratic engagement The result is that an increasing amount of council work is now being conducted electronically and thus fuelling the growth in: ‘Unstructured,’2 electronic records and documents that are created using office applications such as MS Word, PowerPoint, etc (including email, web-pages, audio-visual records3) that can then be stored in a variety of locations (shared drive, personal drives, email inboxes, portal sites, intranet, databases, back-up tapes, CD/DVD’s, USB sticks, etc.) ‘Structured’ database records held in various line of business applications (e.g. SAP) Paper records/documents that have been//could be converted (scanned) to electronic format While electronic records are similar to paper records in that they can support the council’s business and legal requirements, they can also offer many additional advantages to the council: Quick to update/change (saving time/improving accuracy) Enhanced search and retrieval facilities (quicker to find) Increased accessibility (supporting remote/multiple users, information sharing) Easily re-usable content (cut and paste, re-using information) Reduction in duplicated/paper records and associated costs, (e.g. effort, photocopying consumables, physical storage, transport and waste disposal) Enhanced transparency and reporting (audit trails) Support e-service delivery Enhanced security features (permissions/controls) 2 Not in structured database format, e.g. emails, reports, minutes, agenda, etc. 3 e.g. voice/meeting recordings 6 In order for these benefits to be truly realised, it is paramount that electronic records are appropriately managed from the point of their creation, as after this point they can prove more difficult to manage because: They are dependent on hardware and software that over time will become obsolete or superseded, which may make them physically inaccessible over time if left un-managed. (This means that their management not only relies on the user’s procedures but also the management of the technology itself, which demands a pro-active approach to records management) The advantages of their flexibility to allow information to be changed, updated and re-used, may also undermine their credibility as reliable and authentic sources if appropriate controls are not also put in place (e.g. audit trails, access/security permissions) The proliferation of different formats held in different information systems with limited interoperability may mean that there is no joined up way of accessing and managing the information across these silos Supporting the council’s business needs (drivers) In addition to overcoming these common problems, the importance of managing the council’s documents and records as information assets cannot be underestimated if the council is to meet growing demands to: Provide flexible options for the way that council staff work (Agile Working) Support information sharing across the council, (single customer) and with its partners, including (SALIX, Urban Vision, Partners In Salford, NHS, GMP, etc) Support the council’s knowledge management aspirations in developing supporting tools, (e.g. Information Observatory) Respond effectively to change (technological developments, changes in legislation, government agenda, organisational re-structures, such as Electronic Social Care Record, ContactPoint) Support delivery of the initiatives put forward by the ‘Strong and Prosperous Communities,’ whitepaper Respond to the increased emphasis on sharing services and information with partners in the emerging Local Area Agreement 2, (2008) Support major service and transformational strategies of the council, including Building Schools for the Future and ONE SALFORD Support the continuing drive for council efficiencies Support business change and enable more efficient delivery of services Meeting stakeholder expectations of how they should be able to access information and services (more relevant information more quickly and securely) Satisfy the Audit Commission’s CPA process (provide reliable evidence of performance and meet criteria for efficient use of resources and cross working) Ensure continued compliance with Data Protection, Freedom of Information and all other relevant legislation Meet the requirements of the Section 46 Code of Practice on Records Management (issued under the Freedom of Information Act) 7 Meet the continuing e-Government agenda, priority service outcomes, (particularly G19) and citizen take-up Address the council’s information security needs regarding compliance with ISO/IEC27001:2005 Address the council’s responsibility under Section 224 of the Local Government Act, 1972, that requires, ‘proper arrangement,’ of records and archives 8 Findings: the current situation in the council An initial assessment4 of the council’s records management in September 2006 identified the council’s need to address Electronic Document and Records Management, (EDRM) in response to a growing number of internal and external drivers5. Since then: Regular self-assessments6 measuring compliance with the Lord Chancellor’s Code of Practice on Records Management7 has highlighted the council’s continued need to address its ‘active records management’ e.g. practice and provisions for managing records more effectively A gap analysis8 was undertaken (in Summer 2007) to assess the records management capabilities of the following council systems that were identified as holding and dealing with unstructured records in a variety of web based stores, document imaging systems and line of business applications: ICLipse CareStore Docuware PaperMaster SAP FLARE CRM (used in various departments across the council) (Community, Health & Social Care and Childrens Services) (Audit) (Environment –team only) (Corporate wide) (Environment) (Corporate wide) The (above) were assessed against the core requirements of the Lord Chancellors Code of Practice for Records Management (issued under Section 46 of the Freedom of Information Act (2000) and the National Archive’s Functional Requirements for Electronic Records Management Systems, (2002)). The result showed that collectively the systems only achieved the following degree of compliance: Capture and creation 27% Version Control 33% Declaration as a record 14% Arrangement (classifications) 20% Security & Access 22% Management 12% Search & Retrieval 13% Distribute and Publish 17% Presentation 7% Storage, back-up and archiving 14% 4 ‘Preliminary Investigation: Identifying SCC’s records management priorities,’ – (that was undertaken by the Corporate Records Officer taken to Lead Member on 11th September 2006) 5 See Appendix 4. 6 Self-assessment workbook issued by the National Archives 7 Issued under Section 46 of the Freedom of Information Act, (2000). 8 For more detail please see ‘Gap Analysis Report’ & ‘Detailed Findings.’ 9 Review and disposal Audit trail 1% 29% The gap analysis report concluded that: The existing infrastructure of silo systems is not conducive to meeting the aims of the council because it does not provide: o o o o A joined up way of effectively managing records and information across the different systems/ teams (including back-up/archiving, reduction of duplication) Flexible corporate spaces for sharing/publishing information that would support collaborative work and supporting the One Council agenda and the notion of virtual teams Information tools and standards to help staff use the council’s information assets to their full potential (re-use content, reporting) Controls to give assurance to users that documents they create will be protected from change/deletion (perpetuating personal storage) Among this myriad of solutions that were assessed as part of the gap analysis, none adequately met the council’s growing information and records management needs, as well as the wider knowledge management aspirations In addition to the silos of shared/personal folders holding corporate information and records on the network (including Outlook mailboxes) there is currently no defined strategy at a corporate level that oversees the implementation of any record keeping systems to standards that ensure adequate capture and management of these business records for the benefit of the council as a whole (instead focused on local needs) With accommodation pressures and the need for the right information in the right place, at the right time; the need to improve the current situation in terms of both improving the accessibility, availability and management of electronic records as well as a developing a strategy for converting paper records to an electronic format (scanned image) where there is a valid business case - has become paramount In response to these identified gaps, a number of options were considered: 1. Using SharePoint 2007 for EDRM 2. Using a dedicated EDRM solution for EDRM 3. Do nothing (continue to allow silo solutions) The resulting Evaluation Report recommended the need to: 3. Establish SharePoint as the corporate collaboration platform that will facilitate the process of document creation/collaboration (drafts) AND 4. Initiate a project to procure a SharePoint compatible, corporate EDRM solution with records management and bulk scanning functionality to act as a centrally managed repository 10 The Strategy Purpose This strategy sets out the council’s aspiration to gain control of all its documents and records held in multiple repositories in a consistent manner and how implementing the recommendations of the Evaluation Report (previous page) can be practically realised. In developing the strategy the council is committing to: A cultural and organisational change to improve the way that the council works The adoption of a planned and consistent approach to electronic records management across the council The development of a framework of systems, standards and policies for managing all electronic records now and in the future Scope The Strategy will cover the whole EDRM process as defined below 11 However it will not simply be about the technology, e.g. an EDRM System (EDRMS), but it will be about providing a complete EDRM framework and will also encompass: Principles and standards Policy/procedures (e.g. retention and disposal policy) Design of record-keeping systems (both the technical solutions and design of information architecture – e.g. corporate file plan) Implementation (configuration of systems in line with all business requirements, methodologies for management of EDRM and information management projects, governance arrangements and training) In addition, although the strategy primarily concerns all unstructured electronic documents and records such as Word documents, email, web-pages, it has also been expanded to include: Non-electronic records that can be managed electronically either by being scanned or as a paper format that can be tracked in an electronic information asset inventory9 Structured records held in databases, (e.g. SAP, FLARE, Citizen) that need to be managed according to the same principles The strategy will primarily need to apply to all directorates within the council. It will however need to take into account the needs of SCC partners using SCC systems to hold access and manage the council’s records and information. 9 This will also help to better manage ‘hybrid records,’ e.g. those are made up of both electronic and paper components – as is often found with case files. 12 Aim/Vision The aim of the strategy is to ensure that all records and documents throughout their life-cycle are, “USEABLE,” (as defined below) so that their true value can be realised throughout the council by those who have a legitimate right to access and use them. Up to date Sustainable Easy to manage Accessible Be trusted Legally compliant Ever available For electronic records this means managing them from the point of their creation or capture; as any decision on their treatment may affect their ability to be ‘useable’ in the long-term. In principle this means that all documents and records should be proactively managed to ensure that they are: Up to date Sustainable Easy to manage/use Requirement Created/ captured in a timely and effective manner to ensure accuracy and completeness Able to be updated if necessary but only in a controlled manner Able to transparently demonstrate that changes have occurred so that users can make informed decisions based on previous and current information Retained only as long as is necessary for defined business or legal purposes Physically accessible in their entirety as a complete record, (content and metadata) in the long term (if necessary) even though the technology on which they were created may be obsolete Comprehendible over time so that the content still makes sense in the long-term, (if necessary) Able to act as the corporate memory and sustain knowledge over time Captured by the most efficient means of serving both departmental and corporate needs Supported by corporately agreed policies and standards Managed consistently according to these policies and standards by those staff responsible for each record/set Managed with minimum effort and cost as part of an integrated business process Able to support improvements to service delivery where necessary Recommendation 1,4, 9,11,12,13,14,15, 1,3,4,6,11,12,13,15 1,2,4,6,7,8,10,11,12,13 ,14,15,16 13 Requirement Able to support re-use of information content where permissible Easy to find by: Browsing (logically) through a corporate file-plan Searching/browsing for a document/record title Searching on a keyword contained in the text Searching on a controlled vocabulary term that it has been assigned Searching on detail about the document/record itself, (metadata) such as creator, date, etc Recommendation Accessible Be trusted Legally compliant Ever available Able to demonstrate that they have been managed securely and protected from any unauthorised changes, (intentional or accidental) Able to demonstrate when, who, why they were created so that users can make an informed judgement on the reliability and accuracy of their contents Compliant with the requirements of the Data Protection Act where personal data is concerned Managed effectively to meet the council’s obligations under various ‘access to information regimes, ‘such as Freedom of Information (FOI) Environmental Information Regulations Used and re-used appropriately within the constraints of the law, (e.g. Council Tax regulations) Able to meet the standards required by internal and external auditors Able to demonstrate a level of authenticity that is required to ensure maximum evidential weight is attributed to it in a Court of Law For those containing ‘sensitive information,’10 available only under controlled means to those within the council with a legitimate need to access For all other ‘non-sensitive information,’ made available for open access across the council where there is no genuine security restriction. (In principle if the information would be disclosable to the public under FOI, then there is little justification to keep it restricted within the council) Available remotely Available simultaneously (supporting multiple user access) Backed up with appropriate contingencies in place (business continuity plan and disaster recovery plan, especially for those designated as ‘vital records’11) Easily located and available on request if only held in 1,4,6,7,8,9,10,14,15,16 a,16d 1,4,5,6,9,11,12,13,15,1 6c 1,2,4,5,9,11,12,13,15,1 6c 1,3,4,6,7,8,9,11,12,13, 14,15,16 10 Personal data or business sensitive information that would be exempt under FOI. 11 Those records that if lost would result in major impact on the whole council’s ability to function, protect its assets or result in substantial financial loss. 14 Requirement paper forma Where viable converted to electronic format (either by being captured electronically or converting the paper to a scanned image) Recommendation 15 Delivery There are several strategic initiatives recommended to deliver this vision and they have been arranged in the following categories: Policy Information architecture Standards Technology Implementation It is envisaged that these initiatives and the detailed recommendations (below) will be implemented via the EDRM Programme as a number of individual projects that may be run both consecutively and concurrently as appropriate; but each aligned to delivering the Strategy overall. (Appendix 1 contains a list of suggested projects, although the implementation of any recommended actions will be determined in a separate work-plan). Policy 1. Develop and implement a Corporate EDRM Policy a) Outline corporate commitment to a corporate solution that will seek to meet both individual and corporate business needs b) Outline a corporate approach to EDRM c) Articulate responsibility for compliance with the policy 2. Develop and implement a corporate retention and disposal policy that outlines all record types held in the council and the conditions, (preferred format, time period, storage) for their retention a) Review with each business area the recommended periods for relevant local authority record types as suggested by the Records Management Society of Great Britain b) Identify archiving requirements in light of the above c) Review and refine the above with the business area and with legal d) Establish a mechanism for having these signed off by both the business manager and legal e) Establish an accessible means for staff to be able to consult this document f) Establish a procedure for keeping this policy updated (regular review) g) Establish a mechanism for ensuring that this policy is made active in the business areas and that there is a way that stakeholders can update its contents as and when necessary 3. Develop and implement a digital preservation strategy to future proof the availability of those documents and records that have been identified (above) as being required to be kept for over 5 years for either business, legal or historical reasons. a) Review use of PDF/A as a preferred long term file-format 16 b) Consider benefits of open source technology to avoid dependency on proprietary support for accessing held documents and records c) Establish preferred storage medium (digital archive) d) Establish a mechanism for regular review of support for formats e) Establish a procedure for regular review of long-term records (to ensure that their metadata etc are still adequate for the purposes of use and retrieval) f) Ensure ESCROW arrangements are in place, to ensure that a copy of the source code to the software is deposited with an escrow agent for business continuity purposes in the event of insolvency, etc g) Establish an individual risk- based12 migration plan, (based on the migration strategy) at the point of creation for any types of records that are likely to be kept longer than 10 years h) Consider the need for an XML strategy for both migration and re-use of information 4. Develop and implement an Email Management Policy a) Establish a framework (repository, classification scheme, guidance) for capturing those future emails that constitute a business record with other related business records so that they can be managed consistently regardless of format b) Establish a framework (custom folders, classification scheme, retention schedule, archiving) for better managing the volume of future emails that are only of temporary value to the council (e.g. non-records) c) Establish a framework (quarantine, gradual migration) for dealing with existing legacy of emails held by the council 5. Develop and implement legal admissibility procedures (scanning policy) a) Establish a framework for identifying the need for legal admissibility procedures based on risk b) Refine and implement the ‘Legal Admissibility Toolkit,’ where legal admissibility is required c) Establish a basic set of scanning requirements for low risk scanning projects d) Establish guidance for appropriate use of scanning and email facilities on MultiFunctional Printers (MFP’s) 12 Based on the risk of information/evidence loss and whether it would be critical. 17 Information Architecture 6. Establish and implement a Corporate metadata standard13 based on the EGovernment Metadata Standard(E-GMS)14 that will support enhanced retrieval and management a) Using the latest version of the E-GMS, review those elements that are nonmandatory but would offer additional benefits if captured b) Based on the above review, identify all elements that need to be mandated corporately for all documents and records held record-keeping systems c) Evaluate the most efficient and effective means of capturing and securely storing this information both in future and retrospectively d) Establish a mechanism for ensuring that all new/upgrade systems comply with these requirements 7. Agree standardised vocabularies as the basis for a corporate thesaurus, to ensure that agreed terms are used consistently across the council for subject classification of information,-to enhance search and retrieval. a) Agree which standard E-Service Delivery (ESD) lists15 might be adopted as the basis for the corporate thesaurus, (E.g. Integrated Public Sector Vocabulary) based on corporate metadata requirements b) Assess the potential of using ESD mappings to populate multiple metadata elements from one entry, (e.g. by selecting an IPSV term it’s respective term in other lists) c) Investigate the potential of technical solutions as referred to in Recommendation 16A to manage the lists/thesaurus (maintain and customise it based on local terms) and automate classification or mapping. 8. Develop a series of individual file-plans to collectively form a sustainable corporate file-plan (based on function rather than organisational structure) to ensure that documents and records can be held and managed consistently across the council and enable improved information sharing with partners. a) Adopt level 1 and 2 headings of the Local Government Classification Scheme16 as mandatory level 1 and 2 headings for the Corporate File-Plan. Customise level 3 and beyond with customer consultation. b) Apply business rules (security/access permissions, retention and disposal actions) to each level/file as appropriate c) Develop a workshop programme for engaging relevant staff in customisation/fileplan development. d) Prioritise developing file-plans for records resulting from common functions carried out across the council, (HR, Management, Finance, Health & Safety) e) Develop business specific file-plans for documents/records that are specific to particular areas of the council. f) Establish a process for developing and implementing a file-plan for all new record keeping systems 13 Metadata = ‘information about the information,’ that helps us to find it or manage it. 14 http://www.govtalk.gov.uk/schemasstandards/metadata_document.asp?docnum=1017 15 Please see Appendix 3 16 Please see Appendix 2 18 g) Establish a mechanism for reviewing and updating the corporate file-plan 9. Develop a Corporate Access and Security Model that identifies business areas and documents/ records that deal with sensitive information and are more likely to have requirements to restrict access to information. a) At high level identify systems and business areas that could not operate a policy of unrestricted access because of the sensitive information they hold. b) Build on the customised file-plans to apply more detailed security permissions where necessary. 10. Develop standard document templates for common types of documents/records created in the council. a) Identify common document/record types used across the council( minutes, agenda, business plans, Job descriptions, etc) b) Create a standard template for each that meets corporate branding, accessibility and records management requirements. c) Make these easily available for all staff to be able to access as part of their document creation process. 19 Standards 11. For both the development and implementation of electronic records management systems, (technical and non-technical) ensure compliance with methodologies and requirements advocated by: a) BS ISO 15489 – Records Management b) Information Technology Infrastructure Library (ITIL) c) ISO27001:2005 Information Security - Section A.7 Asset Management 12. Functionality of electronic records management systems must comply with the council’s ICT Applications and Infrastructure Standards to ensure that the council is able to specifically comply with: a) EU Model Requirements for Electronic Records& Document Management Systems (2) b) BS ISO 15489 Records Management c) ISO 27001 Information Security d) PD0008: Legal Admissibility and Evidential Weight of Electronic Information 13. Associated policies and procedures for managing electronic documents and records must be consistent with the best practice advocated in relevant standards: a) b) c) d) BS ISO 15489 Records Management ISO 27001 Information Security PD0008: Legal Admissibility and Evidential Weight of Electronic Information PD0010: Principles of Good Practice for Information Management 20 Technology 14. Develop SharePoint as a document collaboration platform: a) Identify priority business functions or candidates that would benefit from document collaboration facilities of SharePoint b) Design and develop standard architecture for SharePoint, (hierarchy of sites, security model, site templates with standard document libraries/metadata fields/content types/workflows/filters/searches) c) Establish a framework for rolling out SharePoint (assessment of business case, development of sites, training and technical/administrative support) d) Establish policy for appropriate use of SharePoint that also outlines information management policies governing it and user/administrator responsibilities for management and support e) Establish migration path of content from SharePoint repository to back office EDRM 15. Implement a complimentary EDRM solution*17 as a centralised managed repository that supports a SharePoint interface a) Conduct an information audit to inform requirements and business case b) Develop a business case for the procurement of and EDRM solution c) Establish a statement of requirements for an EDRM solution based on business requirements and MOREQ2 d) Tender and evaluate potential solutions e) Procure and customise solution, (based on agreed information architecture and business needs for integration) f) Develop a testing and implementation plan, (model office and pilots if necessary) 16. Investigate and evaluate additional tools that may not be standard as part of an EDRM solution but may add value in terms of benefits that can be achieved and improve user take-up. a) Automated content classification tools that can both remove/reduce the manual process of classifying information and metadata content (at the point of creation and retrospectively) and improve consistency of filing and search and retrieval of information by using synonyms in addition to keywords. b) Workflow tools that can support document collaboration and transactional business processes that result in documents/records being circulated and processed across the council c) Redaction tools that support a secure and convenient way of blocking out sensitive/protected pieces of information (e.g. personal data) in documents that are to be made available to the public (e.g. for Subject Access and FOI requests, or web-published documents such as planning applications) d) Complimentary web content management tools that support seamless publishing of council held information (from the EDRM) and management of this published content in line with agreed records management policies (e.g. retention periods) 17 * Please see note on alignment with strategies –this may be considered in the wider context of Enterprise Content Management 21 17. Agree an interim policy for how immediate scanning and EDRM requirements can still be met until development and rollout of the above solutions can be achieved. a) Establish a process for evaluating such requests on a case by case basis to see if it possible to postpone until a corporate solution is available b) Develop and mandate a standard statement of requirements that any interim solution (should it still be sought) will need to meet to ensure future migration/integration with a corporate solution. 22 Implementation 18. Establish a governance framework to manage these recommendations as a corporate programme of work a) Establish a corporate programme sponsor to promote the strategy and its work b) Establish a supporting programme board of ICT and corporate members to: Secure corporate commitment for the strategy and the resulting programme of work Gain stakeholder engagement and ensure a corporate mandate for the programme of work (limiting opt-outs) Oversee projects and ensure that new corporate initiatives/business plans are aligned with the strategy’s aims. c) Outline and agree a programme of works/projects d) Allocate ownership of projects (resources, responsibilities, service level agreements, etc) 19. Develop a communications plan to raise awareness of the programme and gain user engagement a) Identify and target all main corporate stakeholders accordingly b) Consider the benefits of setting up EDRM champions across the council for promoting/feeding back on the programme 20. Adopt a consistent methodology for delivering the strategy a) Adopt corporate Work Process Methodology, (WPM) as methodology for any designated EDRM related projects, - especially EDRM implementations (as this is consistent with that recommended by BS ISO 1548918 b) Ensure that all EDRM implementations are underpinned by a business case that clearly illustrates the business benefits that are to be achieved through the adoption of the technology (via a benefits management framework and focused around effective business transformation to ensure that the benefits are fully realised) . There are obvious dependencies between these recommendations, (as illustrated overleaf): Primarily it will be difficult to proceed with rolling out SharePoint or an EDRM solution until the information standards and file-plan/retention schedule and document templates are established for those business areas concerned. (It may be possible to temporarily restrict the scope so as to address email management and digital preservation at a date independent of EDRM/SharePoint rollout). The successful delivery of the strategy will be dependent on a number of recommendations concerned with the governance arrangements for rolling out the strategy. 18 BS ISO 15489 was mandated for local government in order to comply with Priority Outcome G19. 23 1.EDRM Policy 2.Corporate Retention & disposal Policy 5. Legal admissibility (scanning policy/procedures) 6. Corporate metadata standard 7. Corporate thesauri (vocabularies) 14. Develop and implement SharePoint for document management & 8. Corporate fileplan 15. Configure and implement complimentary EDRMS 9. Corporate Access and Security Model 10. Document templates/ workflows 3. Digital Preservation Strategy 4. Email management policy 17. Governance framework for EDRM programme 18. Communications Plan 19. Methodology for delivering strategy Governance (quality and critical success factors) 11. Compliance with standard methodologies 12. Compliance with ICT standards 13. Align policies and procedures with best practice 24 Priorities As there are many recommendations, it will be important to highlight those where there is a business imperative to address them earlier in the programme: Development of SharePoint framework, as this is a technology that we already have and is already being requested by customers Development of business case for a complimentary EDRM solution, as this may influence how we plan to develop and roll-out SharePoint Development of Information Architecture as this will influence how SharePoint, EDRM and associated technologies need to be configured Management of any electronic records with retention periods of longer than 10 years or permanent value to the council, (for business, historical, legal or other regulatory purposes, e.g. council minutes) Agreement on common types of electronic records that are used across the council, (HR/Finance/Management/ Information Management) that can be managed more consistently under a standard framework that can then be replicated across all applicable areas of the council Alignment with other strategies/initiatives There are a number of current and planned corporate initiatives within the council that the EDRM Strategy will support and is likely to impact upon. Where possible the Strategy has been aligned with these aims Records Management Strategy Agile Working Strategy Admin Review Adoption of ITIL Enterprise Content Management (ECM) / Project Serve Knowledge Management Framework SAP Strategy ONE Salford Review of web architecture Information security compliance Information Sharing Protocols In addition it will be important to ensure that each directorate’s own initiatives are also aligned with the Strategy. Alignment with other council policies Corporate Information Security Policy (CISP) Corporate Records Management Policy Data Protection Policy Back-up and Recovery Policy Data Quality Policy 25 Considerations in delivering the Strategy It is important to note that the delivery of these recommendations is not just about implementing policies and technology, but is about changing the way that the council and its staff works; and must also be recognised as a major change management programme, with significant cultural and training implications. There is also a large dependency on stakeholder input, (the customers’ needs to define the way that they work) and their availability may impact on delivery timescales. Therefore because of what is involved, realistic timescales for delivery of the Strategy (and its recommendations) in its entirety, is likely to be long-term, (up to 5 years). However throughout this period, customers will still have needs and it is important that as part of the Strategy that arrangement are made for how these will be dealt with. In doing so it will be important to: Decide on how to prioritise – long term strategic deliverables or immediate operational requirements Agree preferred interim solutions and arrangements, whilst the recommendations of the strategy are put in place Next Steps Obtain both senior (executive) and stakeholder support for the EDRM Strategy and the resulting programme of work (as it has a council-wide impact) Allocation of resources to deliver the recommendations in the strategy to inform the development of the EDRM Programme timetable Formally establish a programme or work, timetable and deliverables in line with the corporate Salford Programme and Project Management Methodology 26 Appendix 1: Planning the work programme Below is a list of all the recommendations with an indication of delivery time scales: ‘Short term’ - may be possible to deliver in Year 1 ‘Short to long-term’ – maybe started in year 1 but dependent on resources and implementation plan may take longer to deliver in full. 8. RECOMMENDATION Develop and implement a corporate EDRM Policy Develop and implement a corporate retention and disposal policy Develop and implement a digital preservation strategy Develop and implement an email management policy Develop and implement legal admissibility procedures, (scanning policy) Establish a corporate metadata standard Agree standard vocabularies as the basis for corporate thesauri Develop a corporate file-plan 9. Develop a corporate access and security model 10. Develop standard document templates/workflows for common document/record types Ensure compliance with standard methodologies Ensure compliance of records management systems with corporate standards for ICT systems Ensure procedures and policies are aligned with best practice standards Develop SharePoint as a document collaboration platform 1. 2. 3. 4. 5. 6. 7. 11. 12. 13. 14. 15. 16. 17. 18. 19. Implement a SharePoint compatible EDRM solution as a centralised repository Investigate and evaluate additional information tools that add value Establish a governance framework to manage the EDRM programme of work Develop a communications plan Adopt a consistent methodology for delivering the strategy TIMESCALE Short-term Short to long term Long-term Short-term Short-term Short-term Short-term Short to longterm Short to long term Short to long term On-going On-going On-going Short to longterm Short to long term Short to long term Immediate Short –term Immediate 27 It is suggested that these recommendations may be combined into a number of key projects: PROJECT *Corporate file-plan, retention schedule and document templates Email Management SharePoint development and roll-out (Possible priorities): Project sites – cross council and directorate Meeting sites – cross council ESCR interim SOLAR council minutes Team sites CRM integration EDRM implementation, (including business case and procurement) *Information Standards Project RELEVANT RECOMMENDATIONS 2, 8, 9 4, 10, 14 15, 16 1, 3, 5,6,7 Although priorities have been highlighted in the strategy itself, the impact on related projects is illustrated here: SharePoint EDRM Programme Information architecture/ standards/ policies Core information architecture, standards and policies (file-plan, retention policy, metadata standard) EDRMS SharePoint development and roll-out Development of EDRMS business case, (including statement of requirements) Bespoke (local) information architecture, standards and policies (file-plan, retention policy, metadata standard) Configuration and implementation of EDRMS Where in theory activities can be run in parallel, (simultaneously) in practice there maybe a finite internal resource, (records officer, projects services, business analysts, BPR, etc) to lead these activities, which may impact on delivery times. Although timescales could be accelerated with additional internal or external resources, it is important to understand that there is still a large dependency on stakeholder input, (the customer’s needs to define the way that they work/their needs, etc) and likewise their availability may impact on delivery timescales. 28 This model therefore reflects: The dependencies between projects (e.g. need to customise document and record systems based on needs identified as part of business analysis mainly undertaken as part of the collaboration, (SharePoint) and EDRM implementation). A roll-out model that provides a core package to customers to support generic processes; with the need to work with the customer to then further develop a local package that meets their individual business needs, (bespoke to their service). Consistency with best practice methodology for implementing EDRMS. 29 Appendix 2: Level 1 & 2 of the Local Government Classification Scheme Adult care services . Asylum seekers . Carers . Community support . Criminal justice . Residential homes . Social issues . Supporting adults . Supporting disabilities Children and families services . Adoption and fostering . Child protection . Childminding . Children looked after in care . Communications . Programme management and development . Residential homes . Social issues . Special education . Supporting children . Supporting disabilities . Training . Youth justice . Youth services Community safety and emergencies . Advice . Community safety . Emergency planning . Emergency service . Enforcement . Fire prevention . Measures against vandalism . Training Consumer affairs . Advice . Enforcement . Environmental health . Investigation, inspections and monitoring . Registration, certification and licensing Council property . Common land . Maintenance of council property . Property acquisition and disposal . Property and land management . Property use and development Crematoria and cemeteries . Burial identity and location . Maintenance of burial grounds Democracy . Decision making . Executive . Governance . Honours and awards . Member support . Planning . Representation Economic development . Business intelligence . Promotion . Regeneration . Sustainability . Tourism . Training Education and skills . Access and inclusion . Admissions and exclusions . Advice . Arts services . Curriculum development . Education welfare . Employment skills . Life long learning . Management of schools . Teaching Environmental protection . Advice . Conservation . Monitoring Finance . Accounts and audit . Asset management . Financial provisions management . Financial transactions management . Local taxation . National taxation . Payroll and pensions Health and safety 30 . Community safety . Compliance . Monitoring . Risk management Housing . Advice . Enforcement . Estate management . Housing provision . Housing stock . Managing tenancies Human resources . Administering employees . Employee relations . Equal opportunities . Monitoring employees . Occupational health . Recruitment . Terms and conditions of employment . Training . Workforce planning Information and communication technology . Infrastructure . System support Information management . Access to information . Archives . Knowledge management . Records management . Registration Legal services . Advice . Bylaws . Land registration . Land and highways . Litigation . Management of legal activities . Planning controls Leisure and culture . Allotments . Archives . Arts . Community facilities . Leisure promotion . Libraries . Museums . Parks and open spaces . Sports facilities . Sports . Tourism Management . Ceremonial . Communication support . Corporate communication . Enquiries and complaints . External audits . Preparing business . Project management . Quality and performance . Statutory returns . Strategic planning Planning and building control . Building control . Covenant control . Development control . Forward planning Procurement . Contracting . Market information . Tendering Registration and coroners . Inquiries into deaths . Marriage services . Registration of births, marriages and deaths . Treasure trove Risk management and insurance . Claims . Insuring against loss . Risk management Transport and infrastructure . Design and construction . Harbours and waterways . Highway development control . Highway enforcement . Infrastructure management . Public transport . Rights of way . Road maintenance . Road safety . School transport . Traffic management . Transport planning Waste management . Fly tipping . Street cleaning . Waste collection . Waste disposal . Waste reduction 31 Appendix 3: ESD Lists These are standardised vocabularies used for populating various metadata elements specified by the e-government metadata standard, (e-GMS). It is important for documents and records to carry associated metadata (information about the information) as it can assist with both their management and make them easier to find/search. Searching can be further improved if agreed terms are used, (e.g. “Human Resources” for all personnel related matters) so that there is some consistency in classifying similar information as the same thing. The most prominent ESD list is the Integrated Public Sector Vocabulary, (IPSV) which is a controlled vocabulary used for populating the “subject,” element in the e-Government Metadata Standard, (e-GMS). It is ISO 2788 compliant (monolingual thesauri).and mandated for all public sector resources published on external networks. (Each item must have Subject metadata with at least one valid preferred term from IPSV/LGCL19 describing the main subject of the item in question. Other lists include: LGSL: (PID list) – list of council services (outward facing not very good for internal activities or services provided by another body). Lists below are mapped to this to define characteristics of the service. This means that by populating one element it is possible to derive linked values automatically, although there may be need to customise some of these o make them fit for SCC. LGDL: Directory list, - lists depts/org who deliver these services. LGCL/IPSV: Category List (derived from APLAWS and superseded by the IPSV) –lists by subject area, (broad to narrow). Supports text search engines, (by providing non-preferred terms). Suggested as useful as a browser navigation structure for website/portal – although this may now be a use that is better satisfied by the LGNL. LGCS: Classification Scheme – organises by function and activity, (useful for records management and internal activities). (Also mapped to IPSV) LGBCL: Business Category List, (listed by sector) Also mapped to UK Standard Industry Classification List 2003 (SIC 2003). 19 The IPSV took over GCL (Government Category List) and LGCL (Local Government Category List) which are still available for existing users, but are no longer actively maintained and were to be phased out during 2006. 32 LGChL: Channel list, -defines access/delivery channels for describing/measuring e-service delivery, (e.g. face to face/electronic) The following are not mapped to the LGSL: LGIL: Interaction list (e.g. providing info/procurement) LGAL: Audience list (carers, commuters) LGTL: Type List. Defines type/purpose of the resource as a search aid, (e.g. agenda, report) LGNL: Navigation List, -useful as a navigation structure for websites. LGATL: Agency Type List defines partnership agencies that we share info with or who deliver services on SCC’s behalf. 33 DRAFT ONLY Appendix 4: External factors affecting SCC’s records management Overview Access to Information legislation Statutory requirement to manage records and information in accordance with established standards Environmental Information Regulations Data Protection Act (1998) Freedom of Information Act (2000) Lord Chancellors Code of Practice on Records Management issued under S46 of FOIA Data Protection Act, (1998) Source – see appendix Statutory deadlines for providing access to information 17,18,19 means those records have to be accessible. What are the implications for records management? Although it is not a statutory requirement to comply, there is an increased risk of breaching FOI legislation if the recommended measures are not in place. DEFRA also suggests that compliance with the Code will also be instrumental in enabling Authorities to comply with the EIR. Principle 5 - Data not to be kept longer than necessary The ‘necessary’ retention period should be established and documented in a Retention Schedule. Records should be disposed of in accordance with this to ensure that the Act is not breached by unnecessary retention. (However the Act allows for the transfer of records to an Archive for historical/research purposes if they meet ‘relevant conditions.’20) Principle 7 - Security The data needs to be protected from unauthorised processing, destruction or damage. Retention and disposal schedule would reduce the risk of untimely destruction, while the storage arrangements 20 18 20 The conditions include that data cannot be further processed to support decisions being made about the individual and that it will not cause distress to the data subject. 34 DRAFT ONLY Overview Public Records Act, (1958 &1967), instructs every person responsible for public records to make proper provision for the preservation of and access to public records including selection, preservation, deposit and access Compliance with best practice standards Section 224 Local Government Act, (1972), states that, ‘a principal council shall make proper arrangements with respect to any documents that belong to or are in the custody of the council or any of their officers.’ Code of Practice for Legal Admissibility and evidential weight of information stored electronically,” BIP 0008, (2004) BS ISO 15489 ISO/IEC27001:2005 (Previously BS 7799) What are the implications for records management? for such records will need to address protection from both human intervention and environmental hazards. It is unlikely that Salford City Council is responsible for ‘public records,’ (e.g. coroner/magistrate records not those of local authority); Salford comes under the remit of Manchester West Coroner based at Bolton. Need to further investigate the provisions for magistrates. Salford is no longer a designated place of deposit so cannot accept these for long-term. Not a statutory obligation but the ODPM has issued guidance on, ‘proper arrangements.’ This covers both the management of Authorities’ current administrative records and ‘preservation and access,’ to historical archives Compliance is not obligatory but it is encouraged, (S46 Code) to give electronic records the best chance of being accepted in court. Such procedures need to be developed on at least risk-based approach, in those areas creating electronic records, (using doc mgmt or PCs) where litigation is likely. British and International Standard on Records Management (not only a list of requirements but includes a methodology). British and International Standard on Information Technology-Security techniques-Information Security Management Systems. The Corporate Information Security Manager is tasked with aligning the Council with these requirements. Source – see appendix 21 22 35 DRAFT ONLY Overview Harper Case Civil Procedure Rules (31) EU Data Retention Directive ESCR (future proof), legacy files Source – see appendix Retention of back-up information needs scheduling and 4 disposing accordingly to minimise obligation to provide this information. Retention of electronic information needs to be managed 5 in an organised manner to facilitate a search with minimum disruption, should it be required. What are the implications for records management? Information Tribunal Ruling extending the scope of FOI to potentially include information held in back-up systems Practice direction issued to supplement CPR Rule 31. Extends the definition to specifically include electronic documents, including e-mail and other electronic communications, word processed documents and databases, (stored on computer systems and other electronic devices and media, servers and back-up systems and electronic documents that have been ‘deleted’. It also extends to additional information stored and associated with electronic documents known as metadata. It also deals with the factors that may affect the ‘reasonableness, ‘of a search. In December 2005, the EU Parliament approved the SCC may be deemed an ISP and therefore retention of EU Directive that would set out requirements for transmission (especially email) information will need to retaining data on communication traffic. be in line with this. ESCR is intended to bring together all the relevant information for a service user into one place, regardless of whether it consists of different formats, (e.g. notes, emails, video, and letters). The Department of Health has set several targets for achieving this: All new documents created or received for new cases, (video and audio not included) Oct 2005 All new audio, video for new cases April 2006 This will require an EDRMS. Any implementation needs to take into account a variety of RM needs, (BS ISO 15489 methodology) including sustainability of records for up-to 100years and legal admissibility. 16 39 36 DRAFT ONLY Overview Children’s Act (2004) EU Directive on the Re-use of Public Sector Information, (2003/98/EC) E-Government Priority Outcomes All new and pre-existing documents (inc. audio/video) for current cases Oct 2006 The establishment of an integrated Children’s Service, made up of various partners, (Police, Health Authorities, etc) with Local Authorities having the lead role for bringing partners together to implement a programme of integrated delivery and therefore being required to appoint a Director of Children’s Services between 2006-08. Should authorities want to supply their information for re-use; (using documents held by public bodies for a purpose other than the reason they created for) it stipulates how this should be done. ODPM has defined ‘Priority Outcomes,’ which Local Authorities are expected to deliver. IEG21 funding has been given for undertaking this. What are the implications for records management? Source – see appendix A file plan based on functions and activities (not depts) will be required to accommodate the re-organisation now and in the future. The increased need for information sharing with partners will require security and standardisation (interoperability) to be further investigated. 8,9,10 Potential records management public bodies will be required to Asset List of all documents that and the terms and conditions permitted. issues may occur as produce an Information are available for re-use under which re-use is 23 SCC will need to commit to undertaking the BS ISO 15489 methodology in implementing any EDRM measures or auditing current systems for compliance with DP/FOI. 6 G19 requires, “Adoption of ISO 15489 methodology for Electronic Document Records Management and identification of areas where current records management policies, procedures and systems need improvement to meet the requirements of FOI and Data Protection legislation.” 21 (Implementing E-Government) 37 DRAFT ONLY CPA Gershon Efficiencies Overview What are the implications for records management? G21 requires, “compliance with the Government Interoperability Framework, (eGIF) including the Government metadata standard, (e-GMS).” To facilitate interoperability, electronic records management systems should look at standardisation of terms for naming documents, recording standard types of information, using XML and adopting E-GMS, (particularly those elements that may support improved management of information). CPA 2005-2008 is proposing to expand its assessment of Cultural Services to include Archive Services. Pilot work by the Public Services Quality Group (PSQG) of the National Council of Archives is being undertaken to establish KPIs. Over the next 3 years, the ODPM will expect each Local Authority to achieve 2.5% efficiency gains per annum and demonstrate these in self-assessed Annual Efficiency Statements Without a publicly accessible Archive Service it is unlikely that SCC will perform well against any such KPIs. The CPA requirements will need to be clarified, (whether Archive are optional for inclusion) and work on KPIs need to be monitored. Potential RM savings include: Procurement of Commodity Goods and Services - Co-ordinated approach to arrangements for longterm record storage facilities - Co-ordinated procurement of record disposal and destruction services, (shredding). Corporate Service Efficiencies - More efficient retention and disposal of records can free-up storage space and reduce need to buy extra capacity, (especially electronic storage). Productive Time - Implementing Records Management policies and procedures to standardise processes can ensure that records are accessed and managed more Source – see appendix 7 24 38 DRAFT ONLY Overview What are the implications for records management? Source – see appendix promptly; thus reducing the time that staff spend on locating and retrieving information. Integrated Public Sector Vocabulary (IPSV) Local Government Classification Scheme, (LGCS) ISO 19005 Document management -Electronic document file format for longterm preservation Mind the Gap Greater Manchester Consistent standardisation across the public sector of terms for populating the ‘subject,’ metadata element of E-GMS, (required as part of Priority Outcome R3). It now includes internal facing terms. (Supported by EService Delivery Toolkits). Standardised classification scheme for organising records to enable organisations to manage and share information more effectively. Investigate use for categorising the information held in the FOI publication scheme. External project to map it to LGCS (below) may assist with auto-classification of documents for. 25 Should be used (adapted) as a basis for file plans to enable consistent management. It is due to be mapped to the Local Government Retention Schedule (expected June 2006). 26 Part 1: Use of PDF 1.4 (PDF/A-1) Defines a file format Need to evaluate as part of the strategy for managing based on Portable Document Format (PDF) which electronic records. aims to provide a mechanism for representing electronic documents in a manner that preserves their visual appearance over time, independent of the tools and systems originally used for creating, storing and rendering the files. A ‘state of the nation,’ report launched at the House of commons in February 2006 highlighted the need for a preservation strategy for electronic records that need to be held over 20 years. This will be a priority for records such as those created as part of the ESCR where retention period may be upto 100 years. It suggests that it would be most cost efficient to do this at the point of creation, particularly when systems are set up and that it will require a cross disciplinary team to take on responsibility for this. As part of AGMA, Salford contributes jointly to the Investigate whether Salford would be committed to funding of the GMCRO. GMCRO currently holds public funding part of this and whether any additional storage 1 14 39 DRAFT ONLY Overview What are the implications for records management? County Records Office, (GMCRO) bid records on behalf of the Council due to SCC Archive capacity for Salford would be included in this. Service no longer being recognised as a place of deposit. GMCRO no longer has capacity for further deposits and is therefore proposing re-location and a bid for a new storage facility. European Regional Development (ERDF)/Europ ean Social Funding (ESF) As a recipient of funding, SCC will have received a contract that obliges them to manage associated funding records in a prescriptive manner, (detailed in the contract). It is common for these to be requested to be kept in original form and for lengthy retention periods. Requirements for EDRMS These can be audited and non-compliance can result in funding being re-claimed by the ERDF/ESF. Both the National Archives (TNA) in the UK and the DLM Forum (European) has developed functional requirement specifications for auditing EDRMS against. DLM Forum is in the process of updating their’s to MOREQ 2, with National Archive involvement Identify those held in SCC and whether current provisions are compliant. Source – see appendix 26 Should consider the long-term costs of maintaining records in accordance with the EU requirements when making future funding bids. Need to look at applying the TNA’s spec in the local government environment and using this to assess systems against. 37,38 Need to keep up with developments on MOREQ 2, 40